On Tue, Mar 28, 2017 at 10:19:39AM +0200, Budai, László wrote:
no, I like your idea :) If it's not a problem to stop syslog-ng then drop some messages from the diskqueue and then start syslog-ng.
What about: # disables queue but does not remove file # e.g. by doing `mv syslog-ng-00000.qf syslog-ng-00000.qf.disabled` syslog-ng-ctl --mv-away-queue --reload # syslog-ng continues immediately with an empty queue # so sysadmin has time to curate the queue file # offline work on disabled queue file syslog-ng --cli-mode [… do some queue filtering on syslog-ng-00000.qf.disabled…] # now we're happy with old queue, tell running syslog-ng to process it syslog-ng-ctl --process-old-queue=syslog-ng-00000.qf.disabled Would that be doable?